init

3.RKE2/traefik/.env.example

@@ -0,0 +1 @@
+HOSTNAME=traefik.domain.ru

3.RKE2/traefik/.gitignore

@@ -0,0 +1 @@
+.env

3.RKE2/traefik/data/custom/example/app.yaml

@@ -0,0 +1,17 @@
+http:
+  routers:
+    app-domain-ru-route:
+      entryPoints:
+      - https
+      service: app-domain-ru-service
+      rule: Host(`$APP_HOSTNAME`)
+      tls:
+        certResolver: letsEncrypt
+  services:
+    app-domain-ru-service:
+      loadBalancer:
+        passHostHeader: true
+        servers:
+        - url: http://192.168.20.101
+        - url: http://192.168.20.102
+        - url: http://192.168.20.103

3.RKE2/traefik/data/custom/rke-custom.yaml

@@ -0,0 +1,29 @@
+tcp:
+ routers:
+    rke2-api:
+      entryPoints:
+        - k8s-api
+      rule: "HostSNI(`*`)"
+      service: rke2-api-service
+      tls:
+        passthrough: true
+    rke2-connect:
+      entryPoints:
+        - rke2-connect
+      rule: "HostSNI(`*`)"
+      service: rke2-connect-service
+      tls:
+        passthrough: true
+ services:
+   rke2-api-service:
+     loadBalancer:
+       servers:
+         - address: 192.168.20.101:6443
+        #  - address: 192.168.20.102:6443
+        #  - address: 192.168.20.103:6443
+   rke2-connect-service:
+     loadBalancer:
+       servers:
+         - address: 192.168.20.101:9345
+        #  - address: 192.168.20.102:9345
+        #  - address: 192.168.20.103:9345

3.RKE2/traefik/data/traefik.yaml

@@ -0,0 +1,39 @@
+global:
+  checkNewVersion: true
+
+log:
+  level: error
+  filePath: /data/stdout.log
+  format: common
+
+serversTransport:
+  insecureSkipVerify: true
+
+api:
+  dashboard: true
+
+entryPoints:
+  http:
+    address: ":80"
+  https:
+    address: ":443"
+  k8s-api:
+    address: ":6443"
+  rke2-connect:
+    address: ":9345"
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    directory: /custom
+    watch: true
+
+certificatesResolvers:
+  letsEncrypt:
+    acme:
+      email: mail@gmail.com
+      storage: acme.json
+      httpChallenge:
+        entryPoint: http

3.RKE2/traefik/docker-compose.yml

@@ -0,0 +1,44 @@
+version: '3.9'
+services:
+  traefik:
+    image: traefik
+    container_name: traefik
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    ports:
+      - 80:80
+      - 443:443
+      - 6443:6443
+      - 9345:9345
+    extra_hosts:
+      kubernetes.default: 127.0.0.1
+    cap_add:
+      - NET_BIND_SERVICE
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./data/traefik.yml:/traefik.yml:ro
+      - ./data/custom/:/custom/:ro
+      - ./data/acme.json:/acme.json
+      - ./logs/stdout.log:/data/stdout.log:rw
+      - ./logs/access.log:/data/access.log:rw
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.entrypoints=https"
+      - "traefik.http.routers.traefik.rule=Host(`$HOSTNAME`)"
+      - "traefik.http.routers.traefik.tls=true"
+      - "traefik.http.routers.traefik.tls.certresolver=letsEncrypt"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.services.traefik-traefik.loadbalancer.server.port=888"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      # global redirect to https
+      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.http-catchall.entrypoints=http"
+      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+    networks:
+      - webproxy
+
+networks:
+  webproxy:
+    name: webproxy

3.RKE2/traefik/init.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+touch data/acme.json
+chmod 600 data/acme.json
+
+touch logs/stdout.log
+touch logs/access.log